Securely Encrypt Removable Media with Ubuntu

January 2010

The other day my Dad mentioned that "any true geek always carries a USB drive with him". I proved my geek-hood by producing the 2G titanium thumb drive from around my neck. I then did him one further by telling him that the drive was encrypted with AES 256 bit encryption. I don't know whether or not he was impressed, but I sure proved that I am a true geek. It was this experience that prompted me to share my instructions on how to securely encrypt any removable drive.

Following the steps outlined in this tutorial will wipe all data from the device / partition that you present to the encryption utility. You cannot encrypt an existing system using this method and retain the data. Please ensure that you have backups of your data, or that your data is otherwise expendable.

Step 1:

The first step in this tutorial is installing the cryptsetup utility. This tool is part of the cryptsetup package, which is available in the default repositories. You can search for this using your favorite package management utility or install from the terminal using the command:

sudo aptitude install cryptsetup

Step 2:

Once you have the required utility installed, we'll need to prepare the device for use. This step will alter the partition table on the device, potentially causing loss of data. Again, refer to the warning above.

Identify the Device

We need to know the /dev/ entry that the device is assigned in order to successfully partition and encrypt it. There are two methods outlined below which can aid you in determining the device name. In many cases the device may be listed as /dev/sdb1, /dev/sdc1, etc.

The first method of identifying the device is using the fdisk utility. Simply listing all available partitions may help you determine the device. Hint: you can use the size of the device to help determine its device entry if needed.

In this example I have determined that my 1G USB drive is detected as /dev/sdb1. This will be the device entry that I will use moving forward.

A second method that you can use to determine the device is the dmesg utility. The dmesg utility prints the kernel's message buffer to the console. One little "trick" is to unplug and replug your removable disk, and then run dmesg. You should see output similar to:
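The dmesg output itself is not reproduced on this page. As an added example (not part of the original article), the helpers below pick the removable disk, its announced size and its partitions out of dmesg-style text. The sample lines are constructed to resemble what the kernel logs when a USB stick is inserted; real output differs in timestamps and wording between kernel versions, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original article. SAMPLE_DMESG is CONSTRUCTED
# to look like the kernel log for a 1G stick showing up as sdb with one
# partition; swap in "$(dmesg)" to run against the live kernel log.
SAMPLE_DMESG='[ 1234.567890] usb 1-1: new high-speed USB device number 4 using ehci_hcd
[ 1234.701234] scsi6 : usb-storage 1-1:1.0
[ 1235.702345] sd 6:0:0:0: [sdb] 2015232 512-byte logical blocks: (1.03 GB/984 MiB)
[ 1235.703456] sd 6:0:0:0: [sdb] Write Protect is off
[ 1235.710000] sd 6:0:0:0: [sdb] Attached SCSI removable disk
[ 1235.720000]  sdb: sdb1'

# removable_disks DMESG_TEXT
# Print the kernel names (sdb, sdc, ...) of disks flagged as removable,
# one per line, without duplicates.
removable_disks() {
    printf '%s\n' "$1" |
        grep 'Attached SCSI removable disk' |
        sed -n 's/.*\[\(sd[a-z]*\)\].*/\1/p' |
        sort -u
}

# disk_size DMESG_TEXT DISK
# Print the size the kernel reported for DISK, e.g. "1.03 GB/984 MiB",
# so it can be compared with the stick in your hand before any writes.
disk_size() {
    printf '%s\n' "$1" | sed -n "s/.*\[$2\] .*(\(.*\))\$/\1/p"
}

# partitions_of DMESG_TEXT DISK
# Print the partition nodes the kernel announced for DISK (/dev/sdb1 ...).
partitions_of() {
    printf '%s\n' "$1" |
        sed -n "s/.* $2: \(.*\)\$/\1/p" |
        tr ' ' '\n' |
        sed -n "s|^\($2[0-9][0-9]*\)\$|/dev/\1|p"
}

# Typical use against the real log:
#   for d in $(removable_disks "$(dmesg)"); do
#       echo "$d: $(disk_size "$(dmesg)" "$d")"; partitions_of "$(dmesg)" "$d"
#   done
```

Cross-checking the reported size against `sudo fdisk -l` is the cheapest insurance against pointing the later dd and cryptsetup commands at the wrong disk; both Step 4 and Step 5 are irreversible once started.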

Step 3:

To make sure that your kernel is up to date concerning the newly created / altered partition table you may need to run the command:

sudo partprobe

Chances are on modern systems that the kernel is already updated with the new information, but it doesn't hurt to make sure. This also helps avoid potential problems later due to a mismatch between the partition table and the kernel.

Step 4:

We've identified the drive we want to encrypt and prepared it with a single partition. We're now ready to apply the encryption.

There are a number of options available to us at this point. I will outline a few and let the reader decide which method they prefer. I will mention that, of these options, none of them are considered "the best". Different options however are better for different situations. It depends on your level of security needs and the amount of time you want to spend on the encryption. If you want things done quickly and have a basic level of fairly-hard-to-break encryption, you can use Option 1. If you are super paranoid and don't mind letting the encryption procedure take some time (hours or even days on larger disks!), I would suggest Option 3. Somewhere in the middle, Option 2 is likely fine.

To destroy whatever is currently on the partition and make the encrypted data harder to analyse for patterns, we first overwrite the whole partition before encrypting it. As per the note above, select one of the options below:

Option 1

sudo dd if=/dev/zero of=/dev/sdbX bs=4K

This method is the fastest, and gives adequate protection in most situations.

OR

sudo badblocks -vfw -b [block-size-of-your-device] /dev/sdbX

This option writes 5 data patterns across your drive, overwriting and then verifying the data. It is meant for checking for bad blocks, but it also wipes out any existing data. This method is also reasonably fast.

Option 2

sudo dd if=/dev/urandom of=/dev/[your device] bs=4K

This method should be considered very secure. /dev/urandom draws on the same entropy pool as the /dev/random option below, but it produces pseudo-random data without blocking when the pool runs low. It is still a very secure option, but it will increase the time significantly compared with Option 1.

Option 3

sudo dd if=/dev/random of=/dev/[your device] bs=4K

This is considered the most secure but will take the most time. /dev/random blocks whenever the kernel's entropy pool runs low, so it helps to generate entropy on your machine while the copy runs: launching applications, generating heavy disk I/O, moving the mouse, etc. Again, this method is the most secure but takes the longest. It may take days.

Step 5:

We are now ready to encrypt the partition. In this section I will outline using Linux Unified Key Setup (LUKS) encryption with my preferred key size, hash and cipher. You may change these if you prefer. See the man page for information on other options.

Running this command will remind you that all data will be lost (remember, we've already wiped our data in the previous step). This is also where we will define the passphrase that unlocks the encryption.

To begin the encryption process, use one of the commands below. The first uses my preferred cipher. The second uses the default settings.

My suggested options:

sudo cryptsetup luksFormat /dev/sdbX -c aes -s 256 -h sha256

Default options:

sudo cryptsetup luksFormat /dev/sdbX

If you see an error at this point similar to "Failed to setup dm-crypt key mapping. Check kernel for support for the aes-cbc-plain cipher spec and verify that /dev/sdbX contains at least 258 sectors." you'll need to ensure the kernel module is loaded:

sudo modprobe dm-crypt

You may also want to have this module automagically added at boot time by appending this line to your /etc/modules file:

dm-crypt

Step 6:

Now that we've written the basic LUKS layout (the header) to the partition, we need to open it for use and give the mapping a name. This is the name that will appear when the device is mounted in the future.

sudo cryptsetup luksOpen /dev/sdbX name

The name can be whatever you like. I use things like 'secure' or 'vault' or 'encrypt'.

Step 7:

Now that we have the device open and registered with the device-mapper, we can actually create a file system on it and use it. One last command and we've got ourselves an encrypted, usable filesystem.

sudo mkfs.ext4 -L label /dev/mapper/name

Replace 'name' with the name that was applied above, and 'label' with the filesystem label you want. I generally match the two. This also assumes an ext4 file system. If you know you want a different filesystem type, I'm assuming you also know the right command.

If you've come this far, your device is ready to use! To have your system mount the device automatically and prompt you for the passphrase, simply unplug the device and plug it back in. Your desktop should prompt for the encryption passphrase before it can mount the filesystem. If you (or someone else!) cannot supply the passphrase, the device cannot be mounted and the data cannot be read. The same works on any other Ubuntu machine, the one dependency being that cryptsetup must be installed there.
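Steps 4 to 7 are one procedure, and the two mistakes that actually hurt are running them against a mounted stick or against a partition of the disk the system is running from. As an added example (this is not the article's script), the function below wraps the four steps behind those two guards and can be dry-run to print the plan first. It assumes the function names used here, a /proc/mounts-style text passed in through MOUNTS (or read from the live file), and one deliberate change from the article's command: the cipher is spelled out as aes-cbc-essiv:sha256, because `-c aes` alone makes cryptsetup fall back to aes-cbc-plain, the mode named in the Step 5 error message, which uses the bare sector number as the IV; the ESSIV variant derives a secret per-sector IV instead (newer cryptsetup releases default to XTS, which is also fine).

```shell
#!/bin/sh
# Added example, not the article's own script: Steps 4 to 7 behind two
# guards (target not mounted, target not on the root disk). DRY_RUN=1
# prints the commands instead of executing them.

# run: execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# is_safe_target DEVICE MOUNTS_TEXT
# MOUNTS_TEXT is the content of /proc/mounts, passed as text so the check
# can be exercised offline. Returns 1 if DEVICE is mounted or if the root
# filesystem sits on the same disk (/dev/sdb1 -> /dev/sdb).
is_safe_target() {
    dev=$1; mounts=$2
    disk=$(printf '%s\n' "$dev" | sed 's/[0-9]*$//')
    if printf '%s\n' "$mounts" | grep -q "^$dev "; then
        echo "refusing: $dev is mounted" >&2
        return 1
    fi
    if printf '%s\n' "$mounts" | grep -q "^$disk[0-9]* / "; then
        echo "refusing: $disk carries the root filesystem" >&2
        return 1
    fi
    return 0
}

# encrypt_removable DEVICE NAME [WIPE]
# WIPE selects the article's Option 1/2/3: zero (default), urandom, random.
# Cipher spec written out in full (this example's choice): "-c aes" alone
# yields aes-cbc-plain; aes-cbc-essiv:sha256 keeps the article's 256-bit
# key and sha256 hash but uses a secret, per-sector IV.
encrypt_removable() {
    dev=$1; name=$2; wipe=${3:-zero}
    case $wipe in
        zero)    src=/dev/zero ;;
        urandom) src=/dev/urandom ;;
        random)  src=/dev/random ;;
        *) echo "unknown wipe mode: $wipe (use zero, urandom or random)" >&2; return 2 ;;
    esac
    is_safe_target "$dev" "${MOUNTS:-$(cat /proc/mounts)}" || return 1

    # Step 4: overwrite the partition. dd exits non-zero when it reaches the
    # end of the device, which is how it is expected to finish here.
    run sudo dd if="$src" of="$dev" bs=4K || :
    # Step 5: write the LUKS header and set the passphrase (interactive).
    run sudo cryptsetup luksFormat "$dev" -c aes-cbc-essiv:sha256 -s 256 -h sha256
    # Step 6: map the decrypted view under /dev/mapper/NAME (prompts again).
    run sudo cryptsetup luksOpen "$dev" "$name"
    # Step 7: create the filesystem, label matching the mapping name.
    run sudo mkfs.ext4 -L "$name" "/dev/mapper/$name"
    # Close the mapping before unplugging; the desktop reopens it on re-plug.
    run sudo cryptsetup luksClose "$name"
}

# Typical use, after identifying the stick in Step 2:
#   DRY_RUN=1 encrypt_removable /dev/sdb1 vault urandom   # review the plan
#   encrypt_removable /dev/sdb1 vault urandom             # run it
```

The closing luksClose is the one step the article leaves implicit: until the mapping is closed, the decrypted view stays available under /dev/mapper to anyone with root on the machine, and unplugging a stick with an open mapping can leave the filesystem dirty.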

Summary

With the prevalence of USB thumb drives and other removable media it is important to protect our data. It is all too easy to lose such a small device, and they too often have personal data on them. Protect yourself and protect your data!
